being  as  relevant  as  Cloud  Access  Security  Brokers  (CASB)  for  SAAS  and  Data  Security  Posture
            Management for IAAS.



            Enter APIs: the Invisible Workhorses of the Digital Age

            APIs  are  the  bridges  enabling  software  applications  to  interact,  share  data,  and  execute  business
            functions. According to the 2022 Postman State of the API report, organizations are now utilizing an
            average of 218 APIs – a testament to their increasing pervasiveness and the critical role they play in how
            applications are consumed. Browsers, mobile apps and API platforms like Postman are now the three
            most common ways by which modern applications are accessed.

            But with this proliferation comes a new set of risks. APIs have become a prime target for hackers due to
            the vast amount of sensitive data they handle and strong need for authentication and authorization, with
            several high-profile data breaches in recent years being traced back to API vulnerabilities being exploited
            by attackers.

            This surge in API-related breaches is a clear indicator that API security is no longer an afterthought but
            a primary requirement in DLP strategies, for several reasons:



               1.  API-centric data breaches: APIs often expose sensitive data in the payload, many times without
                   the  right  authentication  and  authorization  controls,  making  them  attractive  targets  for
                   cybercriminals. Their vulnerability to breaches necessitates robust API security measures. Broken
                   Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) being top
                   attack vectors in OWASP API top 10 2023 as well

               2.  Growth in API development and usage: APIs are becoming increasingly ubiquitous. According to
                   the  2022  Postman  State  of  the  API  report,  organizations  have  an  average  of  218  APIs,
                   representing a significant increase from previous years. For example, Netflix reportedly receives
                   billions of API calls every day, underscoring how central APIs have become to their operations.
                   Gartner also chimed in on the growth of APIs, stating 94% of organizations use or are planning
                   to use public APIs provided by third parties; up from 52% in 2019; 90% of organizations use or
                   are  planning  to  use  private  APIs  provided  by  partners;  up  from  68%  in  2019;  and  80%
                   organizations provide or are planning to provide publicly exposed APIs; up from 46% in 2019.
                   With this increased reliance comes a higher number of potential points of failure, making API
                   security a growing priority for most CSO’s.

               3.  APIs have become the universal attack vector: What makes APIs so interesting from a hacker’s
                   perspective  is that they expand the attack surface across all vectors. They now present the
                   largest attack surface we have ever encountered in the industry. In the past, hackers had to find
                   ways of bypassing existing solutions, such as WAFs, DLP, API Gateways, etc., in order to find
                   data  and  disrupt  systems.  Now,  they  can  simply  exploit  an  API,  obtain  unfettered  access  to
                   sensitive data, and not even have to exploit the other solutions in the security stack. Hence the





            Cyber Defense eMagazine – September 2023 Edition                                                                                                                                                                                                          126
            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.